Approaches for managing object data

ABSTRACT

Systems and methods are provided for determining multiple fragments of data to be imported, the multiple fragments of data corresponding to different instances of data obtained from one or more external data sources, the different instances of data each corresponding to duplicate content. The multiple fragments of data that each correspond to different instances of duplicate content can be ingested. The multiple fragments of data can be de-duplicated to determine one or more corresponding object data source records (DSRs). The one or more object DSRs can be imported within a data platform system.

CROSS-REFERENCE TO RELATED APPLICATION

This application a continuation application of U.S. Ser. No. 17/067,492,filed Oct. 9, 2020, which claims the benefit under 35 U.S.C. 119(e) ofU.S. Provisional Application No. 62/914,383, filed Oct. 11, 2019, thecontent of which is hereby incorporated in its entirety.

FIELD OF THE INVENTION

This disclosure relates to technologies for managing object data in adata platform system.

BACKGROUND

A data integration pipeline can be used to ingest data stored indisparate data sources and represent the ingested data based on someformat. For example, the data may be ingested from various data sources,such as databases, comma-separated text files, and spreadsheets, to namesome examples. The ingested data can be represented based on a dataontology and be made accessible to users of a data platform system.

SUMMARY

Various embodiments of the present disclosure can include systems,methods, and non-transitory computer readable media configured todetermine multiple fragments of data to be imported, the multiplefragments of data corresponding to different instances of data obtainedfrom one or more external data sources, the different instances of dataeach corresponding to duplicate content. The multiple fragments of datathat each correspond to different instances of duplicate content can beingested. The multiple fragments of data can be de-duplicated todetermine one or more corresponding object data source records (DSRs).The one or more object DSRs can be imported within a data platformsystem.

In an embodiment, each ingested fragment is associated with acorresponding hash value, and wherein the hash value is determined basedon content associated with the ingested fragment.

In an embodiment, de-duplicating the multiple fragments of data furtherincludes de-duplicating the multiple fragments of data based on theirrespective hash values.

In an embodiment, fragments having a same first hash value areassociated with a first object DSR, and wherein fragments having a samesecond hash value are associated with a second object DSR.

In an embodiment, de-duplicating the multiple fragments of data furtherincludes de-duplicating the multiple fragments of data based on theirrespective hash values and other information associated with thefragments.

In an embodiment, the fragments are de-duplicated based on theirrespective hash values and access control identifiers associated withthe fragments.

In an embodiment, fragments having a same first hash value and a firstaccess control identifier are associated with a first object DSR, andwherein fragments having the same first hash value and a second accesscontrol identifier are associated with a second object DSR.

In an embodiment, the single object DSR supports a property associatedwith an object managed by the data platform system.

In an embodiment, the systems, methods, and non-transitory computerreadable media are configured to determine a modification of ade-duplicated first fragment that has been imported into the dataplatform system as a first object DSR and applying one or more rules formanaging one or more data source records associated with thede-duplicated fragment and the first object DSR in the data platformsystem.

In an embodiment, the systems, methods, and non-transitory computerreadable media are configured to enforce a set of invariants that managerelationships between de-duplicated fragments and corresponding objectDSRs and generate an error log entry when an invariant is breached.

These and other features of the systems, methods, and non-transitorycomputer readable media disclosed herein, as well as the methods ofoperation and functions of the related elements of structure and thecombination of parts and economies of manufacture, will become moreapparent upon consideration of the following description and theappended claims with reference to the accompanying drawings, all ofwhich form a part of this specification, wherein like reference numeralsdesignate corresponding parts in the various figures. It is to beexpressly understood, however, that the drawings are for purposes ofillustration and description only and are not intended as a definitionof the limits of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Certain features of various embodiments of the present technology areset forth with particularity in the appended claims. A betterunderstanding of the features and advantages of the technology will beobtained by reference to the following detailed description that setsforth illustrative embodiments, in which the principles of the inventionare utilized, and the accompanying drawings of which:

FIGS. 1A-1D illustrate example diagrams, in accordance with variousembodiments.

FIG. 2 illustrates an example computing environment, in accordance withvarious embodiments.

FIG. 3 illustrates a flowchart of an example method, in accordance withvarious embodiments.

FIG. 4 illustrates a flowchart of another example method, in accordancewith various embodiments.

FIG. 5 illustrates a block diagram of an example computer system inwhich any of the embodiments described herein may be implemented.

DETAILED DESCRIPTION

A data integration pipeline can be used to ingest data stored in variousdisparate data sources and represent the ingested data based on somecommon format. For example, the data may be ingested from various datasources, such as databases, comma-separated text files, andspreadsheets, to name some examples. The ingested data can berepresented based on a data ontology and be made accessible to users ofa data platform system. For example, FIG. 1A illustrates an exampleenvironment 100 including integration data 102, an ingestion system 112,an integration system 122, and a data platform system 152. Theintegration data 102 can include data being integrated from varioustypes of data sources, such as data stores, cloud-based storage,databases, files, and spreadsheets, to name some examples. In theexample of FIG. 1A, the integration data 102 includes a first datasource 104, a second data source 106, a third data source 108, and afourth data source 110. The first data source 104 includes a firstinstance of data corresponding to a name of a person “Bob Jones” and asecond instance of data corresponding to the name of the person “BobJones”. For example, the first and second instances of data may beprovided in different portions of a comma-separated values file.Similarly, the second data source 106 also includes another instance ofdata corresponding to the name of the person “Bob Jones”. The third datasource 108 also includes another instance of data corresponding to thename of the person “Bob Jones”. Finally, the fourth data source 110 alsoincludes another of data corresponding to the name of the person “BobJones”.

The ingestion system 112 can ingest the instances of data correspondingto the name of the person “Bob Jones” for integration with the dataplatform system 152. For example, the ingestion system 112 can ingesteach instance of data corresponding to “Bob Jones” as a fragment. Underconventional approaches, the ingestion system 112 can associate eachfragment with one or more data source records. A data source record(DSR) for a given fragment can be associated with a DSR identifier, adata source identifier, and one or more access control identifiers. Forexample, the DSR identifier can identify the ingested instance of databased on a fragment identifier and an object property with which thefragment is associated. The data source identifier can identify a datasource from which the fragment was ingested. Further, an access controllist identifier can identify an access control list that governs useraccess to the fragment.

For example, an instance of data 105 can be ingested from the first datasource 104 as a fragment “Bob Jones”. The fragment can be associatedwith a DSR identifier which indicates the instance of data 105corresponds to a “person” object and that the instance of data 105 “BobJones” is associated with a “name” property of the person object.Further, the instance of data 105 can be associated with an accesscontrol list identifier which identifies users or group of users thatare permitted to access the instance of data 105. The instance of data105 can also be associated with a data source identifier to indicate theinstance of data 105 was ingested from the first data source 104. Theingestion system 112 can import the instance of data 105 based on thisinformation. For example, when additional instances of datacorresponding to the name of the person “Bob Jones” are ingested asfragments, the ingestion system 112 can similarly associate eachfragment with a corresponding DSR identifier, an access control listidentifier, and a data source record identifier. The ingestion system112 can also determine a respective import key for each fragment. Forexample, when ingesting an instance of data 107 from the second datasource 106, the ingestion system 112 can associate the instance of data107 with a DSR identifier which indicates the instance of data 107corresponds to the same “person” object and that the instance of data107 “Bob Jones” is associated with the “name” property of the personobject. Further, the instance of data 107 can be associated with anaccess control list identifier which identifies users or group of usersthat are permitted to access the instance of data 107. The instance ofdata 107 can also be associated with a data source record identifier toindicate the instance of data 107 was ingested from the second datasource 106. The ingestion system 112 can generate an import key for theinstance of data 107 which helps distinguish the instance of data 107from other instance of data that also correspond to the name “Bob Jones”(e.g., the instance of data 105).

FIG. 1B illustrates a first set of duplicate fragments 114 and a secondfragment 116 of the ingested instances of data. For example, FIG. 1Billustrates a fragment 115 which corresponds to the instance of data 105ingested from the first data source 104 and a fragment 117 whichcorresponds to the instance of data 107 ingested from the second datasource 106. The fragments can be organized based on access controlidentifiers. For example, fragments corresponding to duplicate instancesof data that are associated with a first access control list (acl1) canbe organized into the first set of fragments 114 while fragmentscorresponding to duplicate instances of data that are associated with asecond access control list (acl2) can be organized into a second set offragments 116. In FIG. 1B, the first set of fragments 114 includesinstances of data corresponding to “Bob Jones” which were ingested aspart of the integration data 102 and are accessible to users associatedwith the first access control list (acl1). Similarly, the second set offragments 116 includes an instance of data corresponding to “Bob Jones”which was ingested as part of the integration data 102 and is accessibleto users associated with the second access control list (acl2).

The integration system 122 can represent the fragments 114, 116 asobject data based on a data ontology graph. Once represented as objectdata, the fragments 114, 116 can be accessed through the data platformsystem 152. In various embodiments, the data platform system 152 maystore and manage various data as data objects in one or more dataontology graphs. A data ontology graph may be made up of a number ofdata objects that serve as containers for data. Each data object caninclude a number of object components including, for example, aproperties component that includes structured pieces of information, amedia component that includes binary attachments of data (e.g., textdocuments, images, videos, etc.), a notes component (e.g., a free textcontainer), and one or more respective links (or edges) that associatethe object with other objects in the object graph. In some instances,the data object graph can include different types of data objects. Forexample, a data object may represent an entity (e.g., person(s),place(s), thing(s), etc.), an activity (e.g., event, incident, etc.), adocument, or multimedia. For example, FIG. 1C illustrates a conventionalintegration of the fragments 114, 116 as object representation 124. InFIG. 1C, a person object 126 is associated with a name property 128 “BobJones”. In this example, the name property 128 is associated with a setof object data source records (DSRs) 130 that each reference a fragmentin the first set of fragments 114. The name property 128 is alsoassociated with an object DSR 132 which references a fragment in thesecond set of fragments 116. In the example of FIG. 1C, the nameproperty 128 is shown associated with duplicate object DSRs 130corresponding to fragments 114 which correspond to the same content,i.e., the name “Bob Jones”. While the duplicate object DSRs 130 provideprovenance information indicating different data sources from which thename “Bob Jones” was ingested, the duplicate object DSRs 130 aregenerally irrelevant to users of the data platform system 152. Instead,the duplicate object DSRs 130 can significantly impair user experience.For example, when a user attempts to interact with the object 126, thedata platform system 152 can load details describing the object 126including properties, such as the name property 128, and correspondingobject DSRs 130, 132. As the number of duplicate object DSRs grows, sotoo does the amount of overhead needed to process the duplicate DSRs. Asa result, such conventional approaches to integrating data can becomputationally expensive. This additional burden on the data platformsystem 152 can result in significantly slower processing times which canultimately degrade user experience.

A claimed solution rooted in computer technology overcomes problemsspecifically arising in the realm of computer technology. In variousembodiments, the integration system 122 can be configured tode-duplicate fragments that correspond to identical content. Forexample, the integration system 122 can de-duplicate the fragments 114which are all associated with the first access control list andcorrespond to the same content “Bob Jones”. After de-duplication, theintegration system 122 can represent the de-duplicated fragments 114 asobject representation 142 based on the data ontology graph, asillustrated in the example of FIG. 1D. For example, rather thanincluding all of the duplicate fragments 114, FIG. 1D shows a singleobject DSR 144 that corresponds to the name “Bob Jones” and the firstaccess control list. In some embodiments, the integration system 122 cande-duplicate fragments based on duplicate content referenced by thefragments. For example, a given fragment can be associated with a hashvalue of content included in the fragment (e.g., the name “Bob Jones”).In this example, the integration system 122 can de-duplicate fragmentsbased on the hash value. FIG. 1D also shows an object DSR 146 thatcorresponds to the name “Bob Jones” and the second access control list.More details describing the disclosed technology are provided below.

FIG. 2 illustrates an example environment 200, in accordance withvarious embodiments. The example environment 200 can include at least anintegration engine 202. For example, the integration engine 202 can beimplemented in the integration system 122 of FIG. 1A. The integrationsystem 122 can include one or more processors and memory. The processorscan be configured to perform various operations by interpretingmachine-readable instructions. The integration engine 202 can access oneor more data stores 230. In general, a data store may be any device inwhich data can be stored and from which data can be retrieved. Theintegration engine 202 and the data stores 230 may be accessible eitherdirectly or over a network. The network may be any wired or wirelessnetwork through which data can be sent and received (e.g., the Internet,local area network, etc.). In various embodiments, the integrationengine 202 can include a fragment ingestion engine 204, a de-duplicationengine 206, a fragment update engine 208, and an invariant enforcementengine 210. The integration engine 202 and its sub-engines can beexecuted by the processor(s) of the integration system 122 to performvarious operations. In general, the integration engine 202 and itssub-engines can be implemented, in whole or in part, as software that iscapable of running on one or more computing devices or systems. In oneexample, the integration engine 202 and its sub-engines may beimplemented as or within a software application running on one or morecomputing devices (e.g., user or client devices) and/or one or moreservers (e.g., cloud servers). Many variations are possible.

The fragment ingestion engine 204 can be configured to ingest fragmentsthat correspond to instances of data integrated from various datasources. In various embodiments, the fragment ingestion engine 204 canassociate each ingested fragment with a data source record (DSR)identifier, one or more access control identifiers, and a data storeidentifier. The DSR identifier can include a unique fragment identifierfor the fragment. For example, a DSR identifier for a fragment canidentify a related object, object property (e.g., name(s), address,phone number, etc.), and its fragment identifier. For example, a firstfragment can be associated with a DSR identifier that identifies aperson object “Person1”, a name property of the object “Jane Doe”, and afragment identifier firstFrag. A second fragment can be associated witha DSR identifier that identifies the person object “Person2”, a nameproperty of the object “Jane Doe”, and a fragment identifier secondFrag.In various embodiments, the fragment ingestion engine 204 also generatesand assigns respective hash values to ingested fragments. For example, ahash value of a fragment can be determined based on an instance of data(e.g., content) associated with the fragment using generally knowntechniques. In some embodiments, the hash value can be determined basedon MurmurHash, a non-cryptographic hash function. For example, a hashvalue for a first fragment associated with an instance of datacorresponding to a name “Jane Doe” can be determined by hashing the data“Jane Doe”. If a second fragment is associated with a different instanceof the name “Jane Doe”, a hash value determined for this second fragmentwill still be the same as the hash value determined for the firstfragment, since the hash values are computed from the same data, i.e.,“Jane Doe”. In various embodiments, hash values generated for fragmentscan be used to de-duplicate fragments that correspond to duplicate data,as described below.

The de-duplication engine 206 can be configured to de-duplicatefragments ingested by the fragment ingestion engine 204. In variousembodiments, the de-duplication engine 206 can de-duplicate fragmentsbased at least on respective hash values generated for the fragments. Asmentioned above, hash values for fragments that correspond to duplicatedata will be identical. For example, a hash value for a first fragmentassociated with an instance of data corresponding to a name “Jane Doe”will be identical to a hash value for a second fragment associated withanother instance of the name “Jane Doe”. In the foregoing example, thede-duplication engine 206 can de-duplicate the first fragment and thesecond fragment based on the fragments having the same hash value. Insome embodiments, the de-duplication engine 206 can de-duplicatefragments based on their hash values and other associated information.For example, if the first fragment is associated with a first accesscontrol identifier and the second fragment is associated with a secondaccess control identifier, then no de-duplication occurs since the firstfragment “Jane Doe” is associated with a different access controlidentifier than the second fragment “Jane Doe”. In contrast, if both thefirst and second fragments are associated with only a first accesscontrol identifier, then the fragments can be de-duplicated since theyboth correspond to the same name “Jane Doe” and are associated with onlythe first access control identifier. In various embodiments, thede-duplication engine 206 can represent the de-duplicated fragments as asingle object data source record (DSR) within the data platform system152 that is associated with the hash value and one or more accesscontrol identifiers shared amongst the de-duplicated fragments. Invarious embodiments, users and administrators can inspect the provenanceof de-duplicated fragments to determine an original data source fromwhich a given fragment was ingested.

The fragment update engine 208 can be configured to apply various ruleswhen implementing changes to fragments that have been de-duplicated andrepresented in object form within the data platform system 152. Forexample, in some embodiments, when a fragment associated with a givenDSR identifier is deleted in the integration system 122, the fragmentupdate engine 208 determines whether any corresponding fragment DSRs areknown to the integration system 122. For example, if the deletedfragment corresponds to the name “Jane Doe”, the fragment update engine208 determines whether any other fragment DSRs are associated with thedeleted fragment. If no other corresponding fragment DSRs exist, thefragment update engine 208 requests deletion of a corresponding objectDSR associated with the deleted fragment in the data platform system152. If other corresponding fragment DSRs exist, then the fragmentupdate engine 208 takes no action.

In some embodiments, when access control information (e.g., one or moreaccess control identifiers) associated with a fragment with a given DSRis modified in the integration system 122, the fragment update engine208 determines whether any corresponding fragment DSRs are known to theintegration system 122. For example, if the modified fragmentcorresponds to the name “Jane Doe” and is associated with a first accesscontrol identifier, the fragment update engine 208 determines whetherany other fragment DSRs corresponding to the name “Jane Doe” andassociated with the first access control identifier exist. If othercorresponding fragments exist, then the fragment update engine 208requests creation of a new corresponding object DSR in the data platformsystem 152 based on the modified access control information. If no othercorresponding fragments exist, the fragment update engine 208 requestssimilar modification of access control information associated with acorresponding object DSR in the data platform system 152.

In some embodiments, when access control information associated with afragment and a given DSR is modified and then the fragment is deleted inthe integration system 122, the fragment update engine 208 determineswhether any corresponding fragment DSRs are known to the integrationsystem 122. If other corresponding fragment DSRs exist, then thefragment update engine 208 takes no action.

If no other corresponding fragment DSRs exist, the fragment updateengine 208 determines whether access control information associated withother fragment DSRs is simultaneously being modified and then beingdeleted. If such other fragments exist, the fragment update engine 208requests modification of access control information associated with acorresponding object DSR in the data platform system 152 to match one ofthe new access control identifiers (deterministically chosen) andrequests deletion of the object DSR. If no such fragments exist, thefragment update engine 208 requests modification of access controlinformation associated with a corresponding object DSR in the dataplatform system 152 to match the new access control identifier andrequests deletion of the object DSR.

The invariant enforcement engine 210 can be configured to enforce a setof invariants. For example, in some embodiments, the invariantenforcement engine 210 ensures there exists at least one object DSR inthe data platform system 152 which corresponds to each fragment DSR inthe integration system 122. In some embodiments, the invariantenforcement engine 210 ensures there do not exist any object DSRs in thedata platform system 152 which do not correspond to at least onefragment DSR in the integration system 122. In some embodiments, theinvariant enforcement engine 210 ensures object history in the dataplatform system 152 does not reveal information about object components(e.g., object properties) using their previously associated accesscontrol identifiers. For example, a component whose access controlinformation was modified prior to deletion should not appear under anaccess control identifier that was previously associated with thecomponent. In various embodiments, the invariant enforcement engine 210can generate one or more notifications or errors when a given invariantis breached. In some embodiments, the invariant enforcement engine 210can generate an error log describing breached invariants and relatedinformation.

FIG. 3 illustrates a flowchart of an example method 300, according tovarious embodiments of the present disclosure. The method 300 may beimplemented in various environments including, for example, theenvironment 200 of FIG. 2 . The operations of method 300 presented beloware intended to be illustrative. Depending on the implementation, theexample method 300 may include additional, fewer, or alternative stepsperformed in various orders or in parallel. The example method 300 maybe implemented in various computing systems or devices including one ormore processors.

At block 302, data can be ingested from various external data sources.For example, the data may be ingested as part of an integration, such asthe integration data 102 of FIG. 1A. At block 304, fragment data can bedetermined based on the ingested data. For example, fragmentscorresponding to ingested instances of data can be created along withone or more corresponding data source records and hash values offragment content, as described above. At block 306, the fragments can bede-duplicated. For example, the fragments can be de-duplicated based ontheir hash values and other associated information (e.g., access controlidentifiers, data source identifiers, etc.). At block 308, correspondingobject data source records (DSRs) can be determined from thede-duplicated fragments, as described above.

FIG. 4 illustrates a flowchart of an example method 400, according tovarious embodiments of the present disclosure. The method 400 may beimplemented in various environments including, for example, theenvironment 200 of FIG. 2 . The operations of method 400 presented beloware intended to be illustrative. Depending on the implementation, theexample method 400 may include additional, fewer, or alternative stepsperformed in various orders or in parallel. The example method 400 maybe implemented in various computing systems or devices including one ormore processors.

At block 402, multiple fragments of data to be imported are determined(or accessed), the multiple fragments of data corresponding to differentinstances of data obtained from one or more external data sources, thedifferent instances of data each corresponding to duplicate content. Atblock 404, the multiple fragments of data that each correspond todifferent instances of duplicate content can be ingested. At block 406,the multiple fragments of data can be de-duplicated to determine one ormore corresponding object data source records (DSRs). At block 408, theone or more object DSRs can be imported within a data platform system.

Hardware Implementation

The techniques described herein are implemented by one or morespecial-purpose computing devices. The special-purpose computing devicesmay be hard-wired to perform the techniques, or may include circuitry ordigital electronic devices such as one or more application-specificintegrated circuits (ASICs) or field programmable gate arrays (FPGAs)that are persistently programmed to perform the techniques, or mayinclude one or more hardware processors programmed to perform thetechniques pursuant to program instructions in firmware, memory, otherstorage, or a combination. Such special-purpose computing devices mayalso combine custom hard-wired logic, ASICs, or FPGAs with customprogramming to accomplish the techniques. The special-purpose computingdevices may be desktop computer systems, server computer systems,portable computer systems, handheld devices, networking devices or anyother device or combination of devices that incorporate hard-wiredand/or program logic to implement the techniques.

Computing device(s) are generally controlled and coordinated byoperating system software, such as iOS, Android, Chrome OS, Windows XP,Windows Vista, Windows 7, Windows 8, Windows Server, Windows CE, Unix,Linux, SunOS, Solaris, iOS, Blackberry OS, VxWorks, or other compatibleoperating systems. In other embodiments, the computing device may becontrolled by a proprietary operating system. Conventional operatingsystems control and schedule computer processes for execution, performmemory management, provide file system, networking, I/O services, andprovide a user interface functionality, such as a graphical userinterface (“GUI”), among other things.

FIG. 5 is a block diagram that illustrates a computer system 500 uponwhich any of the embodiments described herein may be implemented. Thecomputer system 500 includes a bus 502 or other communication mechanismfor communicating information, one or more hardware processors 504coupled with bus 502 for processing information. Hardware processor(s)504 may be, for example, one or more general purpose microprocessors.

The computer system 500 also includes a main memory 506, such as arandom access memory (RAM), cache and/or other dynamic storage devices,coupled to bus 502 for storing information and instructions to beexecuted by processor 504. Main memory 506 also may be used for storingtemporary variables or other intermediate information during executionof instructions to be executed by processor 504. Such instructions, whenstored in storage media accessible to processor 504, render computersystem 500 into a special-purpose machine that is customized to performthe operations specified in the instructions.

The computer system 500 further includes a read only memory (ROM) 508 orother static storage device coupled to bus 502 for storing staticinformation and instructions for processor 504. A storage device 510,such as a magnetic disk, optical disk, or USB thumb drive (Flash drive),etc., is provided and coupled to bus 502 for storing information andinstructions.

The computer system 500 may be coupled via bus 502 to a display 512,such as a cathode ray tube (CRT) or LCD display (or touch screen), fordisplaying information to a computer user. An input device 514,including alphanumeric and other keys, is coupled to bus 502 forcommunicating information and command selections to processor 504.Another type of user input device is cursor control 516, such as amouse, a trackball, or cursor direction keys for communicating directioninformation and command selections to processor 504 and for controllingcursor movement on display 512. This input device typically has twodegrees of freedom in two axes, a first axis (e.g., x) and a second axis(e.g., y), that allows the device to specify positions in a plane. Insome embodiments, the same direction information and command selectionsas cursor control may be implemented via receiving touches on a touchscreen without a cursor.

The computing system 500 may include a user interface module (or engine)to implement a GUI that may be stored in a mass storage device asexecutable software codes that are executed by the computing device(s).This and other modules may include, by way of example, components, suchas software components, object-oriented software components, classcomponents and task components, processes, functions, attributes,procedures, subroutines, segments of program code, drivers, firmware,microcode, circuitry, data, databases, data structures, tables, arrays,and variables.

In general, the word “module,” as used herein, refers to logic embodiedin hardware or firmware, or to a collection of software instructions,possibly having entry and exit points, written in a programminglanguage, such as, for example, Java, C or C++. A software module may becompiled and linked into an executable program, installed in a dynamiclink library, or may be written in an interpreted programming languagesuch as, for example, BASIC, Perl, or Python. It will be appreciatedthat software modules (or engines) may be callable from other modules orfrom themselves, and/or may be invoked in response to detected events orinterrupts. Software modules configured for execution on computingdevices may be provided on a computer readable medium, such as a compactdisc, digital video disc, flash drive, magnetic disc, or any othertangible medium, or as a digital download (and may be originally storedin a compressed or installable format that requires installation,decompression or decryption prior to execution). Such software code maybe stored, partially or fully, on a memory device of the executingcomputing device, for execution by the computing device. Softwareinstructions may be embedded in firmware, such as an EPROM. It will befurther appreciated that hardware modules may be comprised of connectedlogic units, such as gates and flip-flops, and/or may be comprised ofprogrammable units, such as programmable gate arrays or processors. Themodules or computing device functionality described herein arepreferably implemented as software modules, but may be represented inhardware or firmware. Generally, the modules described herein refer tological modules that may be combined with other modules or divided intosub-modules despite their physical organization or storage.

The computer system 500 may implement the techniques described hereinusing customized hard-wired logic, one or more ASICs or FPGAs, firmwareand/or program logic which in combination with the computer systemcauses or programs computer system 500 to be a special-purpose machine.According to one embodiment, the techniques herein are performed bycomputer system 500 in response to processor(s) 504 executing one ormore sequences of one or more instructions contained in main memory 506.Such instructions may be read into main memory 506 from another storagemedium, such as storage device 510. Execution of the sequences ofinstructions contained in main memory 506 causes processor(s) 504 toperform the process steps described herein. In alternative embodiments,hard-wired circuitry may be used in place of or in combination withsoftware instructions.

The term “non-transitory media,” and similar terms, as used hereinrefers to any media that store data and/or instructions that cause amachine to operate in a specific fashion. Such non-transitory media maycomprise non-volatile media and/or volatile media. Non-volatile mediaincludes, for example, optical or magnetic disks, such as storage device510. Volatile media includes dynamic memory, such as main memory 506.Common forms of non-transitory media include, for example, a floppydisk, a flexible disk, hard disk, solid state drive, magnetic tape, orany other magnetic data storage medium, a CD-ROM, any other optical datastorage medium, any physical medium with patterns of holes, a RAM, aPROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip orcartridge, and networked versions of the same.

Non-transitory media is distinct from but may be used in conjunctionwith transmission media. Transmission media participates in transferringinformation between non-transitory media. For example, transmissionmedia includes coaxial cables, copper wire and fiber optics, includingthe wires that comprise bus 502. Transmission media can also take theform of acoustic or light waves, such as those generated duringradio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequencesof one or more instructions to processor 504 for execution. For example,the instructions may initially be carried on a magnetic disk or solidstate drive of a remote computer. The remote computer can load theinstructions into its dynamic memory and send the instructions over atelephone line using a modem. A modem local to computer system 500 canreceive the data on the telephone line and use an infra-red transmitterto convert the data to an infra-red signal. An infra-red detector canreceive the data carried in the infra-red signal and appropriatecircuitry can place the data on bus 502. Bus 502 carries the data tomain memory 506, from which processor 504 retrieves and executes theinstructions. The instructions received by main memory 506 may retrievesand executes the instructions. The instructions received by main memory506 may optionally be stored on storage device 510 either before orafter execution by processor 504.

The computer system 500 also includes a communication interface 518coupled to bus 502. Communication interface 518 provides a two-way datacommunication coupling to one or more network links that are connectedto one or more local networks. For example, communication interface 518may be an integrated services digital network (ISDN) card, cable modem,satellite modem, or a modem to provide a data communication connectionto a corresponding type of telephone line. As another example,communication interface 518 may be a local area network (LAN) card toprovide a data communication connection to a compatible LAN (or WANcomponent to communicated with a WAN). Wireless links may also beimplemented. In any such implementation, communication interface 518sends and receives electrical, electromagnetic or optical signals thatcarry digital data streams representing various types of information.

A network link typically provides data communication through one or morenetworks to other data devices. For example, a network link may providea connection through local network to a host computer or to dataequipment operated by an Internet Service Provider (ISP). The ISP inturn provides data communication services through the world wide packetdata communication network now commonly referred to as the “Internet”.Local network and Internet both use electrical, electromagnetic oroptical signals that carry digital data streams. The signals through thevarious networks and the signals on network link and throughcommunication interface 518, which carry the digital data to and fromcomputer system 500, are example forms of transmission media.

The computer system 500 can send messages and receive data, includingprogram code, through the network(s), network link and communicationinterface 518. In the Internet example, a server might transmit arequested code for an application program through the Internet, the ISP,the local network and the communication interface 518.

The received code may be executed by processor 504 as it is received,and/or stored in storage device 510, or other non-volatile storage forlater execution.

Each of the processes, methods, and algorithms described in thepreceding sections may be embodied in, and fully or partially automatedby, code modules executed by one or more computer systems or computerprocessors comprising computer hardware. The processes and algorithmsmay be implemented partially or wholly in application-specificcircuitry.

The various features and processes described above may be usedindependently of one another, or may be combined in various ways. Allpossible combinations and sub-combinations are intended to fall withinthe scope of this disclosure. In addition, certain method or processblocks may be omitted in some implementations. The methods and processesdescribed herein are also not limited to any particular sequence, andthe blocks or states relating thereto can be performed in othersequences that are appropriate. For example, described blocks or statesmay be performed in an order other than that specifically disclosed, ormultiple blocks or states may be combined in a single block or state.The example blocks or states may be performed in serial, in parallel, orin some other manner. Blocks or states may be added to or removed fromthe disclosed example embodiments. The example systems and componentsdescribed herein may be configured differently than described. Forexample, elements may be added to, removed from, or rearranged comparedto the disclosed example embodiments.

Conditional language, such as, among others, “can,” “could,” “might,” or“may,” unless specifically stated otherwise, or otherwise understoodwithin the context as used, is generally intended to convey that certainembodiments include, while other embodiments do not include, certainfeatures, elements and/or steps. Thus, such conditional language is notgenerally intended to imply that features, elements and/or steps are inany way required for one or more embodiments or that one or moreembodiments necessarily include logic for deciding, with or without userinput or prompting, whether these features, elements and/or steps areincluded or are to be performed in any particular embodiment.

Any process descriptions, elements, or blocks in the flow diagramsdescribed herein and/or depicted in the attached figures should beunderstood as potentially representing modules, segments, or portions ofcode which include one or more executable instructions for implementingspecific logical functions or steps in the process. Alternateimplementations are included within the scope of the embodimentsdescribed herein in which elements or functions may be deleted, executedout of order from that shown or discussed, including substantiallyconcurrently or in reverse order, depending on the functionalityinvolved, as would be understood by those skilled in the art.

It should be emphasized that many variations and modifications may bemade to the above-described embodiments, the elements of which are to beunderstood as being among other acceptable examples. All suchmodifications and variations are intended to be included herein withinthe scope of this disclosure. The foregoing description details certainembodiments of the invention. It will be appreciated, however, that nomatter how detailed the foregoing appears in text, the invention can bepracticed in many ways. As is also stated above, it should be noted thatthe use of particular terminology when describing certain features oraspects of the invention should not be taken to imply that theterminology is being re-defined herein to be restricted to including anyspecific characteristics of the features or aspects of the inventionwith which that terminology is associated. The scope of the inventionshould therefore be construed in accordance with the appended claims andany equivalents thereof.

Engines, Components, and Logic

Certain embodiments are described herein as including logic or a numberof components, engines, or mechanisms. Engines may constitute eithersoftware engines (e.g., code embodied on a machine-readable medium) orhardware engines. A “hardware engine” is a tangible unit capable ofperforming certain operations and may be configured or arranged in acertain physical manner. In various example embodiments, one or morecomputer systems (e.g., a standalone computer system, a client computersystem, or a server computer system) or one or more hardware engines ofa computer system (e.g., a processor or a group of processors) may beconfigured by software (e.g., an application or application portion) asa hardware engine that operates to perform certain operations asdescribed herein.

In some embodiments, a hardware engine may be implemented mechanically,electronically, or any suitable combination thereof. For example, ahardware engine may include dedicated circuitry or logic that ispermanently configured to perform certain operations. For example, ahardware engine may be a special-purpose processor, such as aField-Programmable Gate Array (FPGA) or an Application SpecificIntegrated Circuit (ASIC). A hardware engine may also includeprogrammable logic or circuitry that is temporarily configured bysoftware to perform certain operations. For example, a hardware enginemay include software executed by a general-purpose processor or otherprogrammable processor. Once configured by such software, hardwareengines become specific machines (or specific components of a machine)uniquely tailored to perform the configured functions and are no longergeneral-purpose processors. It will be appreciated that the decision toimplement a hardware engine mechanically, in dedicated and permanentlyconfigured circuitry, or in temporarily configured circuitry (e.g.,configured by software) may be driven by cost and time considerations.

Accordingly, the phrase “hardware engine” should be understood toencompass a tangible entity, be that an entity that is physicallyconstructed, permanently configured (e.g., hardwired), or temporarilyconfigured (e.g., programmed) to operate in a certain manner or toperform certain operations described herein. As used herein,“hardware-implemented engine” refers to a hardware engine. Consideringembodiments in which hardware engines are temporarily configured (e.g.,programmed), each of the hardware engines need not be configured orinstantiated at any one instance in time. For example, where a hardwareengine comprises a general-purpose processor configured by software tobecome a special-purpose processor, the general-purpose processor may beconfigured as respectively different special-purpose processors (e.g.,comprising different hardware engines) at different times. Softwareaccordingly configures a particular processor or processors, forexample, to constitute a particular hardware engine at one instance oftime and to constitute a different hardware engine at a differentinstance of time.

Hardware engines can provide information to, and receive informationfrom, other hardware engines. Accordingly, the described hardwareengines may be regarded as being communicatively coupled. Where multiplehardware engines exist contemporaneously, communications may be achievedthrough signal transmission (e.g., over appropriate circuits and buses)between or among two or more of the hardware engines. In embodiments inwhich multiple hardware engines are configured or instantiated atdifferent times, communications between such hardware engines may beachieved, for example, through the storage and retrieval of informationin memory structures to which the multiple hardware engines have access.For example, one hardware engine may perform an operation and store theoutput of that operation in a memory device to which it iscommunicatively coupled. A further hardware engine may then, at a latertime, access the memory device to retrieve and process the storedoutput. Hardware engines may also initiate communications with input oroutput devices, and can operate on a resource (e.g., a collection ofinformation).

The various operations of example methods described herein may beperformed, at least partially, by one or more processors that aretemporarily configured (e.g., by software) or permanently configured toperform the relevant operations. Whether temporarily or permanentlyconfigured, such processors may constitute processor-implemented enginesthat operate to perform one or more operations or functions describedherein. As used herein, “processor-implemented engine” refers to ahardware engine implemented using one or more processors.

Similarly, the methods described herein may be at least partiallyprocessor-implemented, with a particular processor or processors beingan example of hardware. For example, at least some of the operations ofa method may be performed by one or more processors orprocessor-implemented engines. Moreover, the one or more processors mayalso operate to support performance of the relevant operations in a“cloud computing” environment or as a “software as a service” (SaaS).For example, at least some of the operations may be performed by a groupof computers (as examples of machines including processors), with theseoperations being accessible via a network (e.g., the Internet) and viaone or more appropriate interfaces (e.g., an Application ProgramInterface (API)).

The performance of certain of the operations may be distributed amongthe processors, not only residing within a single machine, but deployedacross a number of machines. In some example embodiments, the processorsor processor-implemented engines may be located in a single geographiclocation (e.g., within a home environment, an office environment, or aserver farm). In other example embodiments, the processors orprocessor-implemented engines may be distributed across a number ofgeographic locations.

Language

Throughout this specification, plural instances may implementcomponents, operations, or structures described as a single instance.Although individual operations of one or more methods are illustratedand described as separate operations, one or more of the individualoperations may be performed concurrently, and nothing requires that theoperations be performed in the order illustrated. Structures andfunctionality presented as separate components in example configurationsmay be implemented as a combined structure or component. Similarly,structures and functionality presented as a single component may beimplemented as separate components. These and other variations,modifications, additions, and improvements fall within the scope of thesubject matter herein.

Although an overview of the subject matter has been described withreference to specific example embodiments, various modifications andchanges may be made to these embodiments without departing from thebroader scope of embodiments of the present disclosure. Such embodimentsof the subject matter may be referred to herein, individually orcollectively, by the term “invention” merely for convenience and withoutintending to voluntarily limit the scope of this application to anysingle disclosure or concept if more than one is, in fact, disclosed.

The embodiments illustrated herein are described in sufficient detail toenable those skilled in the art to practice the teachings disclosed.Other embodiments may be used and derived therefrom, such thatstructural and logical substitutions and changes may be made withoutdeparting from the scope of this disclosure. The Detailed Description,therefore, is not to be taken in a limiting sense, and the scope ofvarious embodiments is defined only by the appended claims, along withthe full range of equivalents to which such claims are entitled.

It will be appreciated that an “engine,” “system,” “data store,” and/or“database” may comprise software, hardware, firmware, and/or circuitry.In one example, one or more software programs comprising instructionscapable of being executable by a processor may perform one or more ofthe functions of the engines, data stores, databases, or systemsdescribed herein. In another example, circuitry may perform the same orsimilar functions. Alternative embodiments may comprise more, less, orfunctionally equivalent engines, systems, data stores, or databases, andstill be within the scope of present embodiments. For example, thefunctionality of the various systems, engines, data stores, and/ordatabases may be combined or divided differently.

“Open source” software is defined herein to be source code that allowsdistribution as source code as well as compiled form, with awell-publicized and indexed means of obtaining the source, optionallywith a license that allows modifications and derived works.

The data stores described herein may be any suitable structure (e.g., anactive database, a relational database, a self-referential database, atable, a matrix, an array, a flat file, a documented-oriented storagesystem, a non-relational No-SQL system, and the like), and may becloud-based or otherwise.

As used herein, the term “or” may be construed in either an inclusive orexclusive sense. Moreover, plural instances may be provided forresources, operations, or structures described herein as a singleinstance. Additionally, boundaries between various resources,operations, engines, engines, and data stores are somewhat arbitrary,and particular operations are illustrated in a context of specificillustrative configurations. Other allocations of functionality areenvisioned and may fall within a scope of various embodiments of thepresent disclosure. In general, structures and functionality presentedas separate resources in the example configurations may be implementedas a combined structure or resource. Similarly, structures andfunctionality presented as a single resource may be implemented asseparate resources. These and other variations, modifications,additions, and improvements fall within a scope of embodiments of thepresent disclosure as represented by the appended claims. Thespecification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense.

Conditional language, such as, among others, “can,” “could,” “might,” or“may,” unless specifically stated otherwise, or otherwise understoodwithin the context as used, is generally intended to convey that certainembodiments include, while other embodiments do not include, certainfeatures, elements and/or steps. Thus, such conditional language is notgenerally intended to imply that features, elements and/or steps are inany way required for one or more embodiments or that one or moreembodiments necessarily include logic for deciding, with or without userinput or prompting, whether these features, elements and/or steps areincluded or are to be performed in any particular embodiment.

Although the invention has been described in detail for the purpose ofillustration based on what is currently considered to be the mostpractical and preferred implementations, it is to be understood thatsuch detail is solely for that purpose and that the invention is notlimited to the disclosed implementations, but, on the contrary, isintended to cover modifications and equivalent arrangements that arewithin the spirit and scope of the appended claims. For example, it isto be understood that the present invention contemplates that, to theextent possible, one or more features of any embodiment can be combinedwith one or more features of any other embodiment.

1. A system comprising: one or more processors; and a memory storinginstructions that, when executed by the one or more processors, causethe system to perform: determining fragments of data to be imported, thefragments of data corresponding to different instances of data obtainedfrom one or more external data sources; ingesting the fragments of datato a data platform; determining one or more respective object datasource records (DSRs) of the fragments of data; importing the one ormore object DSRs within the data platform; determining that accesscontrol information associated with a first fragment of the fragmentshas been modified into modified access control information, wherein thefirst fragment is associated with a particular object DSR; andselectively modifying the particular object DSR based on the modifiedaccess control information.
 2. The system of claim 1, wherein theselective modification of the particular object DSR is based on adetermination of whether a second fragment is associated with the accesscontrol information and the particular object DSR.
 3. The system ofclaim 1, wherein the selective modification of the particular object DSRcomprises: in response to determining that a second fragment isassociated with the access control information and the particular objectDSR, refraining from modifying the particular object DSR; and inresponse to determining a nonexistence of any fragments that areassociated with the access control information and the particular objectDSR, modifying the particular object DSR.
 4. The system of claim 1,wherein the instructions further cause the system to perform: receivingan indication that, in response to determining that the access controlinformation associated with the first fragment has been modified intothe modified access control information, the first fragment has beendeleted; in response to receiving the indication that the first fragmenthas been deleted, and in response to determining that any fragmentwithin the data platform is associated with a different object DSR thanthe particular object DSR or with different access control informationthan the access control information, deleting the particular object DSR.5. The system of claim 4, wherein the instructions further cause thesystem to perform: in response to determining that any fragment withinthe data platform is associated with a different object DSR than theparticular object DSR or with different access control information thanthe access control information, determining second access controlinformation of any fragment within the data platform that was previouslyassociated with the particular object DSR and the access controlinformation; and modifying the particular object DSR according to thesecond access control information or the modified access controlinformation.
 6. The system of claim 5, wherein the instructions furthercause the system to perform: in response to determining that no otherfragment is being modified with respect to the access controlinformation, modifying the particular object DSR according to themodified access control information.
 7. The system of claim 5, whereinthe modifying of the particular object DSR according to the modifiedsecond access control information or the modified access controlinformation comprises a deterministic process to select whether themodifying is according to the modified second access control informationor the modified access control information.
 8. The system of claim 1,wherein the instructions further cause the system to perform: hiding ordeleting, in the data platform, the access control informationassociated with the first fragment in response to: determining that theaccess control information associated with the first fragment has beenmodified into the modified access control information.
 9. The system ofclaim 1, wherein the selective modification of the particular object DSRcomprises: in response to determining that a second fragment isassociated with the access control information and the particular objectDSR, creating a new object DSR corresponding to the modified accesscontrol information.
 10. The system of claim 1, wherein, in response tothe modification of the access control information into the modifiedaccess control information, a hash value of the first fragment remainsunchanged.
 11. A computer-implemented method, comprising: determiningfragments of data to be imported, the fragments of data corresponding todifferent instances of data obtained from one or more external datasources; ingesting the fragments of data to a data platform; determiningone or more respective object data source records (DSRs) of thefragments of data; importing the one or more object DSRs within the dataplatform; determining that access control information associated with afirst fragment of the fragments has been modified into modified accesscontrol information, wherein the first fragment is associated with aparticular object DSR; and selectively modifying the particular objectDSR based on the modified access control information.
 12. Thecomputer-implemented method of claim 11, wherein the selectivemodification of the particular object DSR is based on a determination ofwhether a second fragment is associated with the access controlinformation and the particular object DSR.
 13. The computer-implementedmethod of claim 11, wherein the selective modification of the particularobject DSR comprises: in response to determining that a second fragmentis associated with the access control information and the particularobject DSR, refraining from modifying the particular object DSR; and inresponse to determining a nonexistence of any fragments that areassociated with the access control information and the particular objectDSR, modifying the particular object DSR.
 14. The computer-implementedmethod of claim 11, further comprising: receiving an indication that, inresponse to determining that the access control information associatedwith the first fragment has been modified into the modified accesscontrol information, the first fragment has been deleted; and inresponse to receiving the indication that the first fragment has beendeleted, and in response to determining that any fragment within thedata platform is associated with a different object DSR than theparticular object DSR or with different access control information thanthe access control information, deleting the particular object DSR. 15.The computer-implemented method of claim 14, further comprising: inresponse to determining that any fragment within the data platform isassociated with a different object DSR than the particular object DSR orwith different access control information than the access controlinformation, determining second access control information of anyfragment within the data platform that was previously associated withthe particular object DSR and the access control information; andmodifying the particular object DSR according to the second accesscontrol information or the modified access control information.
 16. Thecomputer-implemented method of claim 15, further comprising: in responseto determining that no other fragment is being modified with respect tothe access control information, modifying the particular object DSRaccording to the modified access control information.
 17. Thecomputer-implemented method of claim 15, wherein the modifying of theparticular object DSR according to the modified second access controlinformation or the modified access control information comprises adeterministic process to select whether the modifying is according tothe modified second access control information or the modified accesscontrol information.
 18. The computer-implemented method of claim 11,further comprising: hiding or deleting, in the data platform, the accesscontrol information associated with the first fragment in response to:determining that the access control information associated with thefirst fragment has been modified into the modified access controlinformation.
 19. The computer-implemented method of claim 11, whereinthe selective modification of the particular object DSR comprises: inresponse to determining that a second fragment is associated with theaccess control information and the particular object DSR, creating a newobject DSR corresponding to the modified access control information. 20.The computer-implemented method of claim 11, wherein, in response to themodification of the access control information into the modified accesscontrol information, a hash value of the first fragment remainsunchanged.